I am using fastrender to speed up startup times. One user of my app recently complained that sensitive information can be found in the source code of each page. I first could not believe that but then found out that the e-mail address is included in fastrender's injected data.
Since I was sure I wasn’t publishing this part of the user document myself, I tried to track down which publication was responsible for publishing the e-mail address. I found out that okgrow:analytics has a pub that publishes all e-mails it can get to the client, including those of social networks.
I disabled the package and some of the data injected for okgrow:analytics went away. But still, the emails portion of the user document can be found in the injected code. I could not find any other publication causing this.
Is there a way to track down data that has been sent to the client, e.g. by inspecting the LiveData data structures?
Edit: I now found the real “culprit” for the emails publication:
Does anybody know why Meteor discloses the email to the client?
I also found this article: https://meteorhacks.com/instant-login-for-meteor-with-fast-render/. Obviously, the fact that FastRender auto-injects user data was meant as a “feature”.
(Still wondering how I could detect such a publication quicker, so I leave the question open.)
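
One way to audit what reaches the client, as an added example that is not part of the original post: the function below scans DDP `added`/`changed` frames and lists, per collection, the field paths that carry e-mail-like data. The key list, function names and sample frames are assumptions constructed for illustration.

```javascript
// Added example: audit DDP frames for sensitive user fields.
// SENSITIVE_KEYS is an assumed list; extend it for your own schema.
const SENSITIVE_KEYS = new Set(['emails', 'services']);
const EMAIL_RE = /[^\s@"]+@[^\s@"]+\.[^\s@"]+/;

// Recursively collect dotted paths whose key is on the sensitive list
// or whose string value looks like an e-mail address.
function sensitivePaths(value, prefix = '', out = []) {
  if (typeof value === 'string') {
    if (EMAIL_RE.test(value)) out.push(prefix);
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const path = prefix ? `${prefix}.${key}` : key;
      if (SENSITIVE_KEYS.has(key)) out.push(path); // flag the subtree once
      else sensitivePaths(child, path, out);
    }
  }
  return out;
}

// Takes raw DDP frames (JSON strings) and returns
// { collectionName: [sorted unique sensitive paths] }.
function auditDdpFrames(frames) {
  const report = {};
  for (const raw of frames) {
    let msg;
    try { msg = JSON.parse(raw); } catch (e) { continue; } // skip non-JSON frames
    if (!msg || !msg.fields) continue;
    if (msg.msg !== 'added' && msg.msg !== 'changed') continue;
    const hits = sensitivePaths(msg.fields);
    if (hits.length === 0) continue;
    const seen = new Set([...(report[msg.collection] || []), ...hits]);
    report[msg.collection] = [...seen].sort();
  }
  return report;
}

// Constructed sample frames (not captured from a real app).
const sampleFrames = [
  '{"msg":"connected","session":"constructed-session"}',
  '{"msg":"added","collection":"users","id":"u1","fields":{"username":"alice","emails":[{"address":"alice@example.com","verified":false}]}}',
  '{"msg":"changed","collection":"users","id":"u1","fields":{"profile":{"contact":"alice@example.com"}}}',
  '{"msg":"added","collection":"posts","id":"p1","fields":{"title":"hello"}}',
  'not json',
];

console.log(auditDdpFrames(sampleFrames));
```

Real frames can be copied from the WebSocket view of the browser's developer tools and passed to `auditDdpFrames` as an array of strings.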